Organisations have an obligation towards their personnel that extends to informing staff of what is expected of them in the context of privacy protection and PII, both at a general and a topic-specific level.
In their capacity as PII controllers, organisations should provide ongoing training and awareness programmes, and adhere to a robust disciplinary policy that sets clear expectations on both sides in the event of a data breach.
ISO 27701 6.4.2 contains three main sub-clauses that deal with various aspects of employment-specific privacy protection topics.
Each topic contains guidance from a number of ISO 27002 controls, presented within the context of organisational privacy information management and PII protection:
Additional PIMS-specific guidance relating to the processing of PII can be found in clause 6.4.2.1, which is also linked to UK GDPR legislation.
Please note that GDPR comparisons are for indicative purposes only. Organisations should scrutinise the legislation and make their own judgement on what parts of the law applies to them.
Management play a key role in maintaining privacy protection standards – both from an administrative perspective, and also in ensuring staff understand what’s expected of them, and are conducting themselves accordingly.
Senior management should ensure that all personnel:
Ongoing workplace training ensures that staff are kept up to date with organisational privacy protection policies (general and topic-specific), changes within PII legislation and sector-specific regulatory guidelines.
As a general approach, organisations should implement periodic staff training programmes (including during the on-boarding phase) that align specifically with their own general and topic-specific privacy protection policies and PIMS-related requirements.
Training formats can include:
Staff with a specialised role to play in privacy protection (e.g. ICT maintenance staff) should benefit from specialised training plans that take into account the integral role they play in safeguarding PII.
Training plans/sessions should conclude with an assessment that provides the organisation with a top-down view of competency levels on an employee-by-employee basis.
To complement workplace training, organisations should also roll out privacy protection awareness programmes that provide staff with a range of materials acting as information points on the topic of PII and organisational privacy protection.
Awareness programs may include:
Awareness efforts should be focused on:
PII should be treated as its own distinct topic within privacy protection training programmes.
Staff need to be made acutely aware of the specific legal, commercial, reputational and disciplinary consequences that result from the misappropriation and/or mishandling of PII.
Organisations should develop disciplinary procedures that cater for individuals who have violated general or topic-specific privacy protection policies.
Prior to any disciplinary action being taken, it’s important that the organisation confirms that a policy violation has indeed taken place (see ISO 27002 5.28).
Disciplinary procedures should take into account:
Disciplinary actions in the event of a confirmed breach should be used as a deterrent for similar activity, and should take into account the organisation’s obligations as a PII controller and processor, along with all relevant laws, regulatory guidelines and contractual obligations.
ISO 27701 Clause Identifier | ISO 27701 Clause Name | ISO 27002 Control | Associated GDPR Articles |
---|---|---|---|
6.4.2.1 | Management Responsibilities | 5.4 – Management Responsibilities for ISO 27002 | None |
6.4.2.2 | Information Security Awareness, Education and Training | 6.3 – Information Security Awareness, Education, and Training for ISO 27002 | Article (39) |
6.4.2.3 | Disciplinary Procedures | 6.4 – Disciplinary Process for ISO 27002 | None |